Radware Cloud Security Services
3 likes2,351 views
Radware provides cloud-based web application firewall (WAF) and distributed denial of service (DDoS) protection services to help organizations address evolving security threats. The services use Radware's security technologies and are fully managed by Radware security experts. The WAF service provides continuously adaptive protection against known and unknown attacks. The DDoS service offers over 2Tbps of mitigation capacity and has protected organizations from large multi-vector DDoS campaigns. Both services are designed to provide strong security with minimal management requirements.
Radware Cloud Security Services
- 1. May 16, 2016 Radware Cloud Security Services Real World Threats Meet Real World Protection
- 2. About Radware 2 Market Leader in Application Availability solutions >$200M RevenueAwarded Best Managed Security Service 2016 Chosen by Cisco Firepower 9300 and Checkpoint NG Firewall appliances as OEM partner
- 3. Introducing Radware’s Cloud Security Services 3 Cloud WAF Service Cloud DDoS Protection Service Hybrid | Always-On | On-Demand Full enterprise-grade cloud protection services that protect from multi-vector threats to prevent outage and minimize service-level degradation
- 4. The New Reality of Application Security
- 5. The Web Security Challenge It’s like trying to hit a moving target. ALWAYS. ALL THE TIME. Ever Evolving Threats Ever Evolving Applications Ever Limiting Resources 5
- 6. Ever Evolving Threats Exponential 10X growth cyber-crime alone costing the global economy approximately $445 billion a year. Swiss-based encrypted email service provider Real-Life Example: Back-to-back attacks for over 14 days High volume attack between 30-100 GB Up to 8 simultaneous attack vectors every day Radware deployed emergency service a few days into the campaign and was able to mitigate the attacks In new malware programs since 2012 Source: www.av-test.org More than 35% experienced SSL-based attacks in Y2015 Source: Radware Global Application & Network Security Report, 2016 An increase of more than 60% since 2010 in the number of new vulnerabilities every year Source: National Vulnerability Database (NVD) Almost 100% of attack campaigns today are multi-vector campaigns Source: Radware Emergency Response Team 6
- 7. Ever Evolving Applications The world has moved to continuous application delivery Most successful applications release 1-4 updates a month Source: savvyapps.com The number of distributed teams that practice Agile has doubled this year, rising from 35% to 76% Source: Versionone research Nearly 57% of organizations have adopted Agile methodology Source: Versionone research teams Practice Agile 76% adopted Agile 57% releases a Month 1-4 7
- 8. Ever Limiting Resources 45% experience difficulty to find the qualified personnel they require Source: The 2015 (ISC)² Global Information Security Workforce Study by Frost&Sullivan 54% of IT security employers experiencing a talent shortage say that it has a medium or high impact on their ability to meet client needs Source: HP IT Security Jobs Report, 2014 70% of respondents say their organizations do not have enough IT security staff Source: HP IT Security Jobs Report, 2014 looking for qualified personnel 45%experiencing impact on meeting client needs 54% need IT security staff 70% 8
- 9. Radware Cloud Security Services At a Glance
- 10. Radware Cloud Security Services Ever Evolving Threats Ever Evolving Applications Ever Limiting Resources Automatically adapting to evolving threats and applications Continuously Adaptive Widest security coverage with the shortest time to protect Unmatched Protection Fully managed cloud service Fully Managed 10
- 11. Continuously Adaptive Cloud Security Service Automatically detect & mitigate zero-day attacks Automatically detect & mitigate zero-day attacks Automatically detect & protect new applications Automatically identify & block attacks regardless of source IP 11
- 12. Multi-layered protection covering all attack types Unmatched Protection 12 Widest Security Coverage Unique SSL-Based Attack Mitigation Negative + Positive Models Network-layer, Application-layer, Web-based, SSL-based, volumetric and non-volumetric Maintains user data confidentiality Removes certificate key dependencies Accuracy of detection and mitigation for known and unknown attacks
- 13. As Simple as it Gets: Fully-Managed Cloud Security Service 24x7 dedicated team of security experts for fast mitigation under attack 13 Fully-managed 24/7 service by Radware’s battle-proven ERT 24/7 DDoS Protection Online Portal & Reporting On-Premise Device Management Periodic Security Consulting
- 14. Cloud DDoS Protection - Under Attack Example 14 Canadian Secure Email Service Provider Radware deployed Cloud DDoS Protection a few days into the campaign Attack traffic immediately diverted to Radware Scrubbing Center Legit traffic advanced to customer website restoring its operation Service resumed with no impact on customer’s business SOLUTION Pro-active monitoring in real time by Radware's ERT Immediate diversion to scrubbing center ensuring service continuity Ensure optimal application SLABENEFITS SITUATION DDoS protection service provider Staminus suffered a network outage and a data leakage caused by a DDoS attack Following Staminus takedown, the attack raged onto their clients A persistent multi-vector campaign reaching 130Gbps traffic blend
- 15. Be the First To Know with Full Visibility 15 Real-Time Monitoring Comprehensive Reporting Ticket Work Flow Management Role/User Based Access Control
- 16. Robust Global Cloud Security Network Segregate clean and attack traffic with dedicated scrubbing centers Over 2TB of global mitigation capacity 16 Radware Scrubbing Centers Radware Security Cloud
- 17. Radware Cloud WAF Service
- 18. Fully-managed enterprise-grade WAF service Operated by Radware ‘battle-proven’ ERT Using Radware’s WAF technology Full coverage of ALL OWASP Top-10 ICSA Labs certification Auto-policy generation for new applications 0-day web-attack protection IP-Agnostic attack protection with Device Fingerprinting Radware Cloud WAF Service 18 WEB APPLICATION FIREWALL Top 10-2013 The Ten Most CriticalWeb ApplicationSecurityRisks Unmatched Web Security Protection Web Application Attack Categories Covered TCP Termination & Normalization HTTP Protocol attack (e.g. HRS) Path traversal Base 64 and encoded attacks JSON and XML attacks Login Protection Password cracking – Brute Force Attack Signature and Rules Cross site scripting (XSS) Injections: SQL, LDAP OS commanding Server Side Includes (SSI) LFI/RFI Protection Local File Inclusion Remote File Inclusion Session Protection Cookie Poisoning Session Hijacking Data Leak Prevention Credit card number (CCN) Social Security (SSN) Regular Expression Access Control Predictable Resource Location Backdoor and debug resources File Upload attacks
- 19. Zero-Day Web Attack Protection Negative Security Model Blocks known attacks via known signatures and rules Standard across most WAF technologies Does not help protect from unknown vulnerabilities and 0-day attacks Positive Security Model Learns and defines what actions are allowed; all the rest is blocked Blocks unauthorized access or actions that are not permitted Protects from 0-day attacks and unknown vulnerabilities Higher layer of protection; more specific and tighter protection
- 20. Protect New Applications with Auto Policy Generation App Mapping Threat Analysis Policy Generation & Optimization Policy Activation BEST SECURITY COVEREGE OVER 150 attack vectors covered through auto threat analysis ~0false positives through auto-optimization of out-of-box rulesLOWEST FALSE-POSITIVES SECURITY ASSURANCE AUTO DETECT web application changes 20
- 21. Unique IP-Agnostic Fingerprinting Protection System Fonts Screen Resolution Browser Plug-ins Local IPs Device Reputation for bot detection and blocking 21 Operating System Beyond IP address blacklisting: detailed device fingerprinting through multiple parameters Enables precise activity tracking over time and development of IP-agnostic Device Reputation Provides advanced protection from: Website Scraping Brute Force Attacks HTTP Dynamic Floods Dynamic IP Attacks
- 22. Fingerprinting Case - Leading US Airline 22 Major US Airline Airline unable to sell the seats to real customers Dynamic source-IP attacks so security protection could not differentiate between “good” and “bad” bots Chose Radware’s WAF with fingerprinting technology to block dynamic IP attack Sophisticated attacks - bad bots programmed to “scrape” certain flights, routes and classes of tickets. Bots acting as faux buyers—continuously creating but never completing reservations on those tickets
- 23. Radware Cloud WAF Service - Offering Sets 23 GOLD Dedicated policy for each web application PCI Compliance ready policy Added protection from data and access centric attacks SILVER Single shared policy for multiple web applications Basic security offering to secure against common web attacks PLATINUM OWASP Top 10 coverage Extended security policy Zero-day attack protection Advanced attack protection Service available in three packages: DDoS protection of up-to 1 Gbps of attack traffic is included in all packages Volumetric DDoS-attack protection available at additional cost
- 24. Radware Cloud DDoS Protection Services
- 25. Radware Cloud DDoS Protection Service Fully-managed Cloud DDoS Protection Service Operated by Radware’s ‘battle-proven’ ERT Using Radware’s widely adopted DefensePro technology Full coverage of DDoS attacks, including SSL attacks 0-day attack mitigation: behavioral DDoS, auto signatures Unique SSL-DDoS protection: maintains user data confidentiality Over 2Tbps volumetric DDoS mitigation capacity Customer portal for real-time attack monitoring & reporting Full DDoS Attack Coverage As simple as it gets Network DoS Attacks UDP flood attacks SYN flood attacks TCP flood attacks ICMP flood attacks IGMP flood attacks Out-of-state flood attacks Volumetric DDoS attacks Application Misuse HTTP page flood attacks DNS flood attacks SIP Flood attacks Brute force attacks Network and port scanning Malware propagation Known attacks and tools Application vulnerabilities and exploits OS vulnerabilities and exploits Network infrastructure vulnerabilities Malware such as worms, Bots, Trojans and Drop-points, Spyware Anonymizers IPv6 attacks Protocol anomalies Application Misuse HTTP page flood attacks DNS flood attacks SIP Flood attacks Brute force attacks Network and port scanning Malware propagation 25
- 26. Unique Behavioral DDoS Detection Technology Behavior-Based Detection Radware Rate-Based Detection Non-Radware 26
- 27. Automatic Real-Time Signature Generation Automatic real-time signature generation for zero-day attacks Radware 18 SECONDS Manual signature generation for zero-day attacks Non-Radware 30 MINUTES Protections for zero-day attacks within seconds 27
- 28. Unique SSL DDoS Attack Mitigation L4 challenges initiated on suspicious traffic -> user is validated as legitimate Legitimate SSL connections are not deciphered -> no added latency, user data confidentiality is maintained Customer certificate management remains unchanged Covers all SSL DDoS threats, including Encoding, Evasion, and Single Packet attacks, and SQL injection over SSL ApplicationUser Domain ServerUser Radware Cloud Independent Certificate Management Validate User User Validated 28
- 29. Cloud DDoS Protection Service Deployment Alternatives Hybrid Cloud Always-on Cloud 29 On-Demand CloudCloud DDoS Protection Service
- 30. Cloud DDoS Protection – Flexible Deployment
- 31. Cloud DDoS Protection Service Deployment Alternatives Hybrid Cloud Always-on Cloud 31 On-Demand CloudCloud DDoS Protection Service
- 32. Hybrid Cloud DDoS Protection Service Detect where you can. Mitigate where you should. Integrates with on-premise attack mitigation device Minimal induced latency in peacetime - traffic diverted only when pipe saturation Shortest time to protect - mitigation starts immediately on-premise No protection gap when traffic is diverted to the cloud - DefenseMessaging for synchronized protection Single point of contact and extensive (optional) managed services - ERT Standard or Premium Recommended for organizations that can deploy CPE in their data center 32
- 33. Hybrid Cloud DDoS Protection Service Protected OrganizationRadware Cloud DDoS Protection service ERT and the customer decide to divert the traffic Defense Messaging Sharing essential information for attack mitigation 33 On-premises CPE mitigates the attack AppWallDefensePro Protected Online Services Internet Large volumetric DDoS attack that saturates the pipe DefensePros
- 34. Sharing essential information for attack mitigation Hybrid Cloud DDoS Protection Service Protected OrganizationRadware Cloud DDoS Protection Service Internet Clean traffic 34 Defense Messaging ERT and the customer decide to divert the traffic DefensePros AppWallDefensePro Protected Online Services
- 35. Cloud DDoS Protection Service Deployment Alternatives Hybrid Cloud Always-on Cloud 35 On-Demand CloudCloud DDoS Protection Service
- 36. Always-On Cloud DDoS Protection Service Recommended for organizations that have apps on public cloud or cannot deploy a CPE in their data center Shortest time to protection – traffic continuously routed through Radware’s cloud POPs, at all times Minimal need for customer involvement – proactively fully-managed by Radware ERT Unlimited service – supports unlimited # of attacks, size and duration Additional cost for always routed traffic As simple as it gets: Let Radware handle it all 36
- 37. Always-On Cloud DDoS Protection Service 37 Protected OrganizationRadware Cloud DDoS Protection service Internet Clean traffic All traffic is always routed through Radware Cloud service; all attack traffic cleaned by Radware DefensePro No on-premise device DefensePros Protected Online Services AppWall
- 38. Cloud DDoS Protection Service Deployment Alternatives Hybrid Cloud Always-on Cloud 38 On-Demand CloudCloud DDoS Protection Service
- 39. On-Demand Cloud DDoS Protection Service Recommended for organizations looking for lowest cost solution and less sensitive to real-time detection of application-level and SSL-based DDoS attacks Traffic diverted to cloud only upon volumetric DDoS attacks. No on-premise appliance. Diversion based on link utilization thresholds, flow statistics, or manually Attack volume unlimited, but limitation on annual number of diversions ERT Standard service only: supporting attack mitigation on-demand Limited ability to detect application-level DDoS attacks Lowest cost. Simplest deployment model. 39
- 40. Protected OrganizationRadware Cloud DDoS Protection service 40 Attack is launched against the organization Internet Large volumetric DDoS attack that saturates the pipe DefensePro No on-premise device On-Demand Cloud DDoS Protection Service DefensePros Protected Online Services AppWall
- 41. Protected OrganizationRadware Cloud DDoS Protection service Internet Clean traffic 41 ERT and customer decide to divert traffic based on link utilization or flow statistics, or manually On-Demand Cloud DDoS Protection Service Link utilization or flow statistics DefensePros Protected Online Services AppWall
- 42. Cloud DDoS Protection Service Deployment Alternatives Hybrid Cloud Always-on Cloud 42 On-Demand Cloud Traffic diverted only when pipe saturation Minimal induced latency in peacetime Unlimited # of attacks, size and duration ERT Standard or Premium (managed service) Minimal need for customer involvement Unlimited # of attacks, size and duration ERT Premium service level only Additional cost for always routed traffic Lowest cost; Simplest deployment Detection based on link utilization thresholds or flow stats Limitation on annual number of diversions ERT Standard service only Limited ability to detect application-level and SSL-based DDoS attacks For organizations that can deploy CPE in their data center For organizations that have apps on public cloud or cannot deploy CPE in their data center For organizations that that are less sensitive to real-time detection of application-level and SSL- based DDoS attacks
- 43. Summary
- 44. Shortest time to protect Best in class security As simple as it gets Why Radware Ever Evolving Threats Ever Evolving Applications Ever Limiting Resources Continuously Adaptive Unmatched Protection Fully Managed Automatically detect & mitigate zero-day attacks Automatically detect & protect new applications Automatically identify & block attacks regardless of source IP (Fingerprinting) Widest security coverage Unique SSL-Based Attack Mitigation Positive and negative security models 24/7 Always-On Protection Battle-Proven ERT Team Robust Global Cloud Security Network 44
Editor's Notes
- #7: http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/
- #8: http://savvyapps.com/blog/how-often-should-you-update-your-app http://www-03.ibm.com/software/businesscasestudies/lb/en/corp?synkey=C023976H17338X93 http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=AB&infotype=PM&htmlfid=RAC14375USEN&attachment=RAC14375USEN.PDF#loaded https://www.quora.com/How-often-do-major-software-companies-push-code-to-production
- #9: http://www.hp.com/hpinfo/newsroom/press_kits/2014/RSAConference2014/Ponemon_IT_Security_Jobs_Report.pdf http://blog.vsoftconsulting.com/blog/what-does-an-understaffed-it-department-look-like
- #16: Real-Time Monitoring Across all Radware Security Modules 3rd Party Event Notifications Comprehensive Reporting Historical Reporting Engine Customizable Dashboards Advanced Forensics Reports Compliance Reports Ticket Work Flow Management Event Correlation Engine Role/User Based Access Control
- #19: Unmatched Enterprise-grade Web Security Protection The Hybrid Cloud WAF Service is based primarily on Radware's web application firewall – AppWall. Provides FULL coverage from ALL the OWASP top-10 attacks Is ICSA Labs certified Supports both negative and positive security models: Positive security policies are based on behavioral analysis technology. The security technology learns what the possible inputs per each web page are and what the typical values per each input field are. It then locks the policy to the allowed ranges of values. positive security profiles are a proven protection against zero-day attacks. Negative security policies are based on static signature detection technology. The WAF module stores a signature file that covers thousands of known application vulnerabilities and exploits that are checked against every user transaction. Once a signature match is found – the session is terminated and the attack is blocked Has the unique ability to generate policies automatically: Patent-protected technology to create and maintain security policies for the widest security coverage with the lowest false positives and lowest operational effort. A four step flow to create and maintain security policies – Application Mapping, Threat Analysis, Policy Generation, Policy Activation No other WAF can do that and it eliminates many of the complexities involved with setting up and configuring existing WAF solutions.
- #23: Major US Airline Experienced sophisticated attacks where bad bots were programmed to “scrape” certain flights, routes and classes of tickets. Bots were acting as faux buyers—continuously creating but never completing reservations on those tickets Resulting in the airline unable to sell the seats to real customers Invested in security protection but wasn’t able to differentiate between the “good” bots and the “bad” ones as the attackers dynamically changed the source IP. Chose Radware’s AppWall with fingerprinting technology to block dynamic IP attacks Lead example for need for Fingerprinting technology – blocking beyond source IP Emphasize the ability to differentiate between good and bad bots Highlight the challenges with source IP blocking with the growing dynamic IP attacks
- #27: This is another unique capability in Radware’s solution. We are able to detect attacks more accurately, with lower false positives, by using patent protected behavioral analysis algorithm. Using this, we can accurately differentiate between a spike of traffic that is legitimate (for example – a marketing campaign or promotion) and a spike of traffic that is illegitimate – an attack. Compare to a rate-based technology that simply blocks traffic above a certain rate and, in this way, blocks legitimate traffic as well, we will not block your legitimate traffic and allow users to access your applications during peak traffic times as they should.
- #33: Why do we start here? These customers already know Radware and enjoy our products and services. They are uniquely positioned to benefit from an integrated ADC and security solution – to really extend their Radware ADC into a full solution that helps ensure the availability and security of their applications. Offering Radware’s attack mitigation solution to these existing customers is all about promoting the hybrid, integrated and single-vendor solution. They will enjoy additional protection with a synchronized system that exchanged messaging between the ADC and attack mitigation devices to get the best possible protection. They will get a robust SSL solution that is unmatched in the industry. Look at DTCC – The US Depository Trust & Clearing Corporation is a financial services company that provides clearing and settlement services to the financial market. Today it settles the vast majority of security transactions in the US and operates multiple facilities in the US and outside as well. DTCC has been a Radware ADC customer for over 15 years and they were using Prolexic for DDos mitigation. However their encrypted HTTPS traffic was not protected. Radware was able to leverage the trust and partnership to sell them our attack mitigation solution that includes DefensePro and our SSL mitigation solution. They purchased a total of 10 boxes for 5 data centers globally for a total $1.1M deal size.
- #34: When an Attack Starts On-premise attack mitigation device (DefensePro) mitigates attacks in real-time without ERT involvement Defense Messaging DefensePro sends ‘pipe utilization’ messages to DefensePipe Defense Messages include also baselines and attack footprint so once diverted, the attack is immediately mitigated accurately – no learning curve Single Point of Contact Once a pre-defined threshold is reached, the ERT asks for the customer approval to divert the traffic to the cloud Attack is handled with the customer from inception at the customer’s premise
- #35: When an Attack Starts On-premise attack mitigation device (DefensePro) mitigates attacks in real-time without ERT involvement Defense Messaging DefensePro sends ‘pipe utilization’ messages to DefensePipe Defense Messages include also baselines and attack footprint so once diverted, the attack is immediately mitigated accurately – no learning curve Single Point of Contact Once a pre-defined threshold is reached, the ERT asks for the customer approval to divert the traffic to the cloud Attack is handled with the customer from inception at the customer’s premise
- #37: Why do we start here? These customers already know Radware and enjoy our products and services. They are uniquely positioned to benefit from an integrated ADC and security solution – to really extend their Radware ADC into a full solution that helps ensure the availability and security of their applications. Offering Radware’s attack mitigation solution to these existing customers is all about promoting the hybrid, integrated and single-vendor solution. They will enjoy additional protection with a synchronized system that exchanged messaging between the ADC and attack mitigation devices to get the best possible protection. They will get a robust SSL solution that is unmatched in the industry. Look at DTCC – The US Depository Trust & Clearing Corporation is a financial services company that provides clearing and settlement services to the financial market. Today it settles the vast majority of security transactions in the US and operates multiple facilities in the US and outside as well. DTCC has been a Radware ADC customer for over 15 years and they were using Prolexic for DDos mitigation. However their encrypted HTTPS traffic was not protected. Radware was able to leverage the trust and partnership to sell them our attack mitigation solution that includes DefensePro and our SSL mitigation solution. They purchased a total of 10 boxes for 5 data centers globally for a total $1.1M deal size.
- #38: When an Attack Starts On-premise attack mitigation device (DefensePro) mitigates attacks in real-time without ERT involvement Defense Messaging DefensePro sends ‘pipe utilization’ messages to DefensePipe Defense Messages include also baselines and attack footprint so once diverted, the attack is immediately mitigated accurately – no learning curve Single Point of Contact Once a pre-defined threshold is reached, the ERT asks for the customer approval to divert the traffic to the cloud Attack is handled with the customer from inception at the customer’s premise
- #40: Why do we start here? These customers already know Radware and enjoy our products and services. They are uniquely positioned to benefit from an integrated ADC and security solution – to really extend their Radware ADC into a full solution that helps ensure the availability and security of their applications. Offering Radware’s attack mitigation solution to these existing customers is all about promoting the hybrid, integrated and single-vendor solution. They will enjoy additional protection with a synchronized system that exchanged messaging between the ADC and attack mitigation devices to get the best possible protection. They will get a robust SSL solution that is unmatched in the industry. Look at DTCC – The US Depository Trust & Clearing Corporation is a financial services company that provides clearing and settlement services to the financial market. Today it settles the vast majority of security transactions in the US and operates multiple facilities in the US and outside as well. DTCC has been a Radware ADC customer for over 15 years and they were using Prolexic for DDos mitigation. However their encrypted HTTPS traffic was not protected. Radware was able to leverage the trust and partnership to sell them our attack mitigation solution that includes DefensePro and our SSL mitigation solution. They purchased a total of 10 boxes for 5 data centers globally for a total $1.1M deal size.
- #41: When an Attack Starts On-premise attack mitigation device (DefensePro) mitigates attacks in real-time without ERT involvement Defense Messaging DefensePro sends ‘pipe utilization’ messages to DefensePipe Defense Messages include also baselines and attack footprint so once diverted, the attack is immediately mitigated accurately – no learning curve Single Point of Contact Once a pre-defined threshold is reached, the ERT asks for the customer approval to divert the traffic to the cloud Attack is handled with the customer from inception at the customer’s premise
- #42: Link utilization thresholds by SNMP trap; MIB. Periodically sampled by our NOC every 1 min (configurable). Provides only throughput data. Threshold usually configured as 75% link utilization over 30 min. Flow statistics collected by our NOC. Router is configured to periodically sent to us (every 1 min.) the flow statistics. Thresholds allow some baselining of peacetime legit traffic, so volumetric attack detection is more granular. However, application-level attacks on specific resources is not available, such as SSL attacks that aim to starve SSL connection per second capacity, or HTTP DDOS.